Summary. We collect the minimum personal data needed to provide the Services to you. We never sell your data. Customer Data submitted to the platform belongs to the Customer, is stored in cryptographically isolated tenants, and is processed only on the Customer's instructions. You have the right to access, correct, and delete your personal data at any time.
1. Scope and roles
This Privacy Policy applies to:
- Visitors to mudrium.com and related marketing pages;
- Users who register an Account or use the Services;
- Customers (organisations) that subscribe to the Services.
For data submitted by Customers into the platform ("Customer Data"), Mudrium acts as a data processor and the Customer is the data controller. For data we collect directly from visitors and users (account details, marketing communications, etc.), Mudrium acts as a data controller.
2. Information we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, work email, role, organisation, industry, phone, password (hashed) | You provide it at sign-up |
| Profile data | Job title, branch, department, profile photo, signature image | You / your administrator |
| Authentication | Session tokens, MFA codes, IP, user-agent, login timestamps | Automatically collected |
| Usage data | Pages viewed, features used, click events, error logs, latency | Automatically collected |
| Device data | Browser type, OS, screen size, language, timezone | Automatically collected |
| Communications | Support tickets, sales emails, demo-request submissions | You provide it |
| Billing data | Billing address, VAT/GST number, invoice history | You / payment processor |
| Customer Data | Transactions, allocations, memos, approvals, photos, signatures, etc. | Customer / Authorised Users |
3. How we use information
We use information for the following purposes:
- To provide the Services — authentication, account management, executing workflows, generating reports, rendering memos, processing approvals;
- To improve the Services — analytics, debugging, capacity planning, security monitoring, fraud prevention;
- To communicate — service announcements, security advisories, billing notifications, support responses;
- For marketing — to send product updates, blog posts, webinar invitations (you may opt out at any time);
- For legal and regulatory compliance — record-keeping required by NRB, tax authorities, anti-money-laundering law, or court order;
- To protect rights and safety — detecting and preventing abuse, fraud, unauthorised access, and security incidents.
4. Legal bases for processing
Where applicable law requires us to identify a legal basis for processing personal data, we rely on one or more of the following:
- Performance of a contract — to deliver the Services you have subscribed to;
- Legitimate interest — to operate, secure, and improve the Services;
- Consent — for optional features such as marketing communications and non-essential cookies;
- Legal obligation — to comply with applicable laws and regulatory directives.
5. Cookies and similar technologies
We use cookies, web beacons, and similar technologies for authentication, security, preference storage, and analytics. You can control cookies through your browser settings. Disabling cookies may impair Service functionality. We use a small number of strictly necessary cookies (required for authentication and security) and analytics cookies, which you may opt out of.
6. How we share information
We do not sell personal data. We disclose information only:
- Within the Customer's organisation — to other Authorised Users with the appropriate role and permission;
- With service providers — cloud hosting (AWS, GCP), email delivery (SendGrid), analytics, error monitoring — all bound by confidentiality and data-protection obligations;
- For legal reasons — when required by law, court order, regulator, or to protect Mudrium's rights, property, or the safety of others;
- In a corporate transaction — in the event of a merger, acquisition, or sale of assets, with continuity of these privacy commitments.
7. Data security
Mudrium implements industry-standard security measures including AES-256-GCM encryption at rest, TLS 1.3 in transit, role-based access control (RBAC) with multi-factor authentication (MFA) on every privileged action, tamper-evident audit logs, automated backups, and continuous vulnerability scanning. We align with NRB Directive 6/080, SOC 2, and ISO 27001 controls (certification status disclosed on request).
No method of electronic storage or transmission is one-hundred percent secure. While we strive to use commercially acceptable means to protect personal data, we cannot guarantee its absolute security.
8. Data residency and international transfers
Customer Data for Customers operating in Nepal is hosted in data centres located in Nepal or the South Asia region by default. International transfers are made only with appropriate safeguards (such as standard contractual clauses) and only where strictly necessary for the provision of the Services. Specific data-residency arrangements can be agreed in an Order Form or Data Processing Addendum.
9. Data retention
Account data is retained for the duration of the subscription plus a thirty (30) day Export Window after termination, after which Customer Data is permanently deleted (subject to any legal retention requirement). Backup copies are retained for up to ninety (90) days and then destroyed. Aggregated and de-identified data may be retained indefinitely for analytics and product improvement.
10. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Delete your personal data ("right to be forgotten");
- Restrict or object to certain processing;
- Withdraw consent at any time where processing is based on consent;
- Portability — receive a copy of your data in a machine-readable format;
- Lodge a complaint with a relevant supervisory authority.
To exercise any of these rights, email [email protected]. We will respond within thirty (30) days. Where you are an Authorised User of a Customer, you should contact your Customer organisation in the first instance, as we are typically the data processor.
11. Children's privacy
The Services are not intended for children under the age of sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it promptly.
12. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Updates will be posted on this page with a revised effective date. Material changes will be communicated through in-app notice or email where reasonably practicable.
13. Contact us
For questions about this Privacy Policy or our data practices, contact our Data Protection Officer:
Mudrium Pvt. Ltd. · Attn: Data Protection Officer
Bhatbhateni, Kathmandu, Nepal
Email: [email protected]
Phone: +977 1-4000-000
© 2026 Mudrium Pvt. Ltd. This Privacy Policy is read together with our Terms of Use.